From d488a8adb72d15ae4c87826b7d3d7e36534ddac0 Mon Sep 17 00:00:00 2001
From: djm
Date: Fri, 6 Oct 2023 03:25:14 +0000
Subject: [PATCH] Perform the softhsm2 setup as discrete steps rather than as a long shell pipeline. Makes it easier to figure out what has happened when it breaks.
---
 regress/usr.bin/ssh/agent-pkcs11.sh | 27 +++++++++++++++++----------
 1 file changed, 17 insertions(+), 10 deletions(-)
diff --git a/regress/usr.bin/ssh/agent-pkcs11.sh b/regress/usr.bin/ssh/agent-pkcs11.sh
index 91674c3a686..7a5664542b0 100644
--- a/regress/usr.bin/ssh/agent-pkcs11.sh
+++ b/regress/usr.bin/ssh/agent-pkcs11.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: agent-pkcs11.sh,v 1.9 2021/07/25 12:13:03 dtucker Exp $
+# $OpenBSD: agent-pkcs11.sh,v 1.10 2023/10/06 03:25:14 djm Exp $
 # Placed in the Public Domain.
 tid="pkcs11 agent test"
@@ -38,6 +38,7 @@ export SSH_ASKPASS
 unset DISPLAY
 # start command w/o tty, so ssh-add accepts pin from stdin
+# XXX could force askpass instead
 notty() {
 perl -e 'use POSIX; POSIX::setsid(); if (fork) { wait; exit($? >> 8); } else { exec(@ARGV) }' "$@"
@@ -45,18 +46,23 @@ notty() {
 trace "generating keys"
 RSA=${DIR}/RSA
+RSAP8=${DIR}/RSAP8
+ECPARAM=${DIR}/ECPARAM
 EC=${DIR}/EC
-$OPENSSL_BIN genpkey -algorithm rsa > $RSA
-$OPENSSL_BIN pkcs8 -nocrypt -in $RSA |\
- softhsm2-util --slot "$slot" --label 01 --id 01 --pin "$TEST_SSH_PIN" --import /dev/stdin
+ECP8=${DIR}/ECP8
+$OPENSSL_BIN genpkey -algorithm rsa > $RSA || fatal "genpkey RSA fail"
+$OPENSSL_BIN pkcs8 -nocrypt -in $RSA > $RSAP8 || fatal "pkcs8 RSA fail"
+softhsm2-util --slot "$slot" --label 01 --id 01 \
+ --pin "$TEST_SSH_PIN" --import $RSAP8 || fatal "softhsm import RSA fail"
+
 $OPENSSL_BIN genpkey \
 -genparam \
 -algorithm ec \
 -pkeyopt ec_paramgen_curve:prime256v1 |\
- $OPENSSL_BIN genpkey \
- -paramfile /dev/stdin > $EC
-$OPENSSL_BIN pkcs8 -nocrypt -in $EC |\
- softhsm2-util --slot "$slot" --label 02 --id 02 --pin "$TEST_SSH_PIN" --import /dev/stdin
+ -pkeyopt ec_paramgen_curve:prime256v1 > $ECPARAM || fatal "param EC fail"
+$OPENSSL_BIN genpkey -paramfile $ECPARAM > $EC || fatal "genpkey EC fail"
+$OPENSSL_BIN pkcs8 -nocrypt -in $EC > $ECP8 || fatal "pkcs8 EC fail"
+softhsm2-util --slot "$slot" --label 02 --id 02 \
+ --pin "$TEST_SSH_PIN" --import $ECP8 || fatal "softhasm import EC fail"
 trace "start agent"
 eval `${SSHAGENT} ${EXTRA_AGENT_ARGS} -s` > /dev/null
@@ -83,7 +89,8 @@ else
 chmod 600 $k
 ssh-keygen -y -f $k > $k.pub
 pub=$(cat $k.pub)
- ${SSHADD} -L | grep -q "$pub" || fail "key $k missing in ssh-add -L"
+ ${SSHADD} -L | grep -q "$pub" || \
+ fail "key $k missing in ssh-add -L"
 ${SSHADD} -T $k.pub || fail "ssh-add -T with $k failed"
 # add to authorized keys
--
2.20.1
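Review bot: The fatal message on the EC import step misspells the tool as `softhasm`; the line should read `--pin "$TEST_SSH_PIN" --import $ECP8 || fatal "softhsm import EC fail"` so that a grep of the test log for "softhsm" catches both import failures. Replacing the pipelines also leaves the unencrypted PKCS#8 copies `$RSAP8` and `$ECP8` on disk in `$DIR` alongside `$RSA` and `$EC`, where the old `--import /dev/stdin` form never wrote them out; unless the harness already wipes `$DIR` (not visible here), an `rm -f "$RSAP8" "$ECP8"` after the two imports succeed would keep the extra key copies from outliving the step that needs them, even though these are throwaway test keys. The new intermediate paths are expanded unquoted (`> $RSAP8`, `--import $ECP8`), which matches the surrounding script but would break if `$DIR` ever contained whitespace; quoting them costs nothing.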